Intrusion Prevention



This indicates an attempt to exploit a vulnerability in the Microsoft Windows WMF graphics rendering engine. A remote attacker can use the SetProcAbort function in a WMF image file to include code that will execute when the image is viewed. The attacker may be able to execute arbitrary code on the system, with administrator privileges if the image is viewed by an administrator.

Affected Products

Microsoft Windows 2000 SP4
Microsoft Windows XP SP1 and SP2
Microsoft Windows XP Professional x64 Edition
Microsoft Windows Server 2003 and SP1
Microsoft Windows Server 2003 for Itanium-based Systems and SP1
Microsoft Windows Server 2003 x64 Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE)
Microsoft Windows Millennium Edition (ME)


System compromise, arbitrary code execution.

Recommended Actions

Microsoft Security Bulletin MS06-001 addresses this issue.

CVE References